{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1678", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "state": "PUBLISHED", "assignerShortName": "zephyr", "dateReserved": "2026-01-30T05:48:49.746Z", "datePublished": "2026-03-05T06:21:36.907Z", "dateUpdated": "2026-03-05T15:28:42.914Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "Zephyr", "product": "Zephyr", "repo": "https://github.com/zephyrproject-rtos/zephyr", "vendor": "zephyrproject-rtos", "versions": [{"lessThanOrEqual": "4.3", "status": "affected", "version": "*", "versionType": "git"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "dns: memory\u2011safety issue in the DNS name parser"}], "value": "dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-03-05T06:21:36.907Z"}, "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42"}], "source": {"discovery": "UNKNOWN"}, "title": "dns: memory\u2011safety issue in the DNS name parser", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T15:27:59.030104Z", "id": "CVE-2026-1678", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:28:42.914Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1678", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T15:27:59.030104Z"}}}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:27:52.161Z"}}], "cna": {"title": "dns: memory\u2011safety issue in the DNS name parser", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/zephyrproject-rtos/zephyr", "vendor": "zephyrproject-rtos", "product": "Zephyr", "versions": [{"status": "affected", "version": "*", "versionType": "git", "lessThanOrEqual": "4.3"}], "packageName": "Zephyr", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.", "supportingMedia": [{"type": "text/html", "value": "dns: memory\u2011safety issue in the DNS name parser", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-03-05T06:21:36.907Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1678", "state": "PUBLISHED", "dateUpdated": "2026-03-05T15:28:42.914Z", "dateReserved": "2026-01-30T05:48:49.746Z", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "datePublished": "2026-03-05T06:21:36.907Z", "assignerShortName": "zephyr"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zephyrproject:zephyr:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D912614-A39E-4C9B-AA54-187BC26337B9", "versionEndIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled."}, {"lang": "es", "value": "dns_unpack_name() almacena en cach\u00e9 el espacio restante del b\u00fafer una vez y lo reutiliza al adjuntar etiquetas DNS. A medida que el b\u00fafer crece, el tama\u00f1o almacenado en cach\u00e9 se vuelve incorrecto, y el terminador nulo final puede escribirse m\u00e1s all\u00e1 del b\u00fafer. Con las aserciones deshabilitadas (por defecto), una respuesta DNS maliciosa puede desencadenar una escritura fuera de los l\u00edmites cuando CONFIG_DNS_RESOLVER est\u00e1 habilitado."}], "id": "CVE-2026-1678", "lastModified": "2026-03-09T18:33:42.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-05T07:16:11.437", "references": [{"source": "vulnerabilities@zephyrproject.org", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-536f-h63g-hj42"}], "sourceIdentifier": "vulnerabilities@zephyrproject.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Zephyr", "source": "cna", "vendor": "zephyrproject-rtos"}, "product": "zephyr", "vendor": "zephyrproject-rtos"}], "analysis": {"en": {"generated_at": "2026-04-16T12:32:04.771893+00:00", "value": {"mitigation_remediation": ["Disable the DNS resolver by removing CONFIG_DNS_RESOLVER from the Zephyr build configuration.", "Update Zephyr to the latest version or apply the vendor\u2019s patch that addresses the dns_unpack_name bounds checking flaw.", "Monitor DNS traffic for anomalous responses and segment the network to limit exposure of vulnerable devices."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Zephyr RTOS builds that include the DNS resolver (CONFIG_DNS_RESOLVER). The advisory does not specify precise version numbers, so any Zephyr instance with the resolver enabled may be vulnerable.", "description_and_impact": "dns_unpack_name caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer expands, the cached size becomes incorrect and the final null terminator can be written past the buffer. With assertions disabled and CONFIG_DNS_RESOLVER enabled, a malicious DNS response can trigger an out\u2011of\u2011bounds write. This memory corruption can allow an attacker to overwrite adjacent memory, potentially leading to arbitrary code execution or a system crash, consistent with the CWE\u2011787 buffer overflow weakness.", "risk_and_exploitability": "The CVSS score of 9.4 signals a high severity, while the EPSS score of <1% indicates a low current exploitation likelihood and the vulnerability is not listed in the KEV catalog. The likely attack vector is remote: an adversary can craft a DNS response that targets a device running the vulnerable resolver, triggering the out\u2011of\u2011bounds write. Successful exploitation could allow arbitrary code execution or denial of service."}}}}, "created": "2026-03-06T15:08:05.610955+00:00", "updated": "2026-04-16T12:45:35.842809+00:00", "vendors": ["zephyrproject-rtos", "zephyrproject-rtos$PRODUCT$zephyr"]}